On September 29, 2020, the Department of Defense issued an interim rule to amend the DFARS to implement a DoD Assessment Methodology and Cybersecurity Maturity Model Certification (“CMMC”) framework. This rule was issued to assess DoD contractors’ implementation of cybersecurity requirements within the entire supply chain. The new rule revised Part 204 to add policy (204.7302) and procedures (204.7303), a new Subpart 204.75 Cybersecurity Maturity Model Certification, and three new contract clauses: 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements; 252.204-7020 NIST SP 800-171 DoD Assessment Requirements; and 252.204-7021 Contractor Compliance Maturity Model Certification Level Requirement.
This Interim Rule will take effect November 30, 2020, without a prior comment period. The Interim Rule does answer a few questions that have been open over the past year since the CMMC program was originally announced. First, these new cybersecurity requirements will apply to all DoD contractors, including commercial contractors. The only exception will be Commercial Off the Shelf (“COTS”) purchases. Second, the certifications will be valid for three years, although, much like all other cybersecurity requirements, if something significant changes with your information system, you may need to get a new assessment/certification. Finally, the CMMC requirements will be applicable to all DoD solicitations, orders, and contracts by October 1, 2025.
DFARS 252.204-7019 and -7020 will generally be included in solicitations where the government has determined that the contract will include information that is medium or high based on the NIST SP 800-171 levels. These two clauses will be in addition to DFARS 252.204-7012, which is already required for many DoD contracts. These two clauses are most likely temporary. The prescription language for these clauses, as well as for the CMMC clause, provides that there should not be any duplication of effort. Thus, once the CMMC requirements are applicable to all solicitations and orders, these clauses should become moot.
The prescription for the third clause (252.204-7021), DFARS 204.7303, provides for the phasing in of the CMMC requirement for all DoD contractors, except sellers of COTS. “(a) Until September 30, 2025, … if the requirement document or statement of work requires a contractor to have a specific CMMC level … [the inclusion] must be approved by OUSD(A&S). (b) On or after October 1, 2025, [the clause must be included] in all solicitations and contracts or task orders, including those using FAR part 12 procedures … except for solicitations and contracts or orders solely for the acquisition of COTS items.”
In subsequent blogs over the next few weeks, I will provide updates on the CMMC program and describe what each of the three new DFARS clauses will cover and the potential impacts on DoD contractors.
If you want more information regarding these new cybersecurity requirements or would like to discuss this further, contact MWL Counsel Jody Reed.